dovecot is not parsing the variables in dovecot-ldap.conf.ext correctly

Bug #1893543 reported by Luke Schierer
Affects: dovecot (Ubuntu) | Status: Expired | Importance: Low | Assigned to: Unassigned

Bug Description

My dovecot users log in as user@domain, with the LDAP directory set up with a couple of different OUs, one OU per domain. The users in the OUs overlap. If I set

luke@schierer@littera001:/etc/dovecot$ sudo grep -v ^# dovecot-ldap.conf.ext | uniq

hosts = censor001.plerumque.thecrazyguys.net

tls = yes
tls_ca_cert_dir = /etc/ssl/certs
tls_require_cert = allow

debug_level = 4

auth_bind = yes

base = ou=%d,dc=thecrazyguys,dc=net

scope = subtree

user_filter = (&(objectClass=posixAccount)(uid=%n))

pass_filter = (&(objectClass=posixAccount)(uid=%n))

blocking = no
luke@schierer@littera001:/etc/dovecot$

then I get a search base of ou=,dc=thecrazyguys,dc=net, which is invalid.

I was experimenting, and I tried
base = dc=%d,dc=thecrazyguys,dc=net
which produces a search base of
dc=domain,dc=thecrazyguys,dc=net
which would be correct, except that my ldap tree is set up with OUs and not an extra DC component.

For whatever reason, it will do variable substitution for dc=%d but not for ou=%d. This is certainly not documented and seems like wrong behavior, since having an OU in a search base is valid.

luke@schierer@littera001:/etc/dovecot$ lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04
luke@schierer@littera001:/etc/dovecot$

luke@schierer@littera001:/etc/dovecot$ dpkg -l | grep -i dovecot
ii dovecot-core 1:2.2.33.2-1ubuntu4.6 amd64 secure POP3/IMAP server - core files
ii dovecot-imapd 1:2.2.33.2-1ubuntu4.6 amd64 secure POP3/IMAP server - IMAP daemon
ii dovecot-ldap 1:2.2.33.2-1ubuntu4.6 amd64 secure POP3/IMAP server - LDAP support
ii dovecot-pop3d 1:2.2.33.2-1ubuntu4.6 amd64 secure POP3/IMAP server - POP3 daemon
luke@schierer@littera001:/etc/dovecot$
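To make the failure mode in the report concrete, here is an added example. It is not Dovecot's code and does not reproduce Dovecot's internal expansion or escaping from its source; it models the %u/%n/%d substitution of the base and pass_filter from the configuration above, escapes each substituted value for its context (RFC 4514 for DN components, RFC 4515 for filter values), and flags a base that ends up with an empty RDN such as ou=,dc=thecrazyguys,dc=net. The CONFIG dict, the sample logins, the escaping helpers and the empty-RDN check are this example's own assumptions.

```python
"""Model of Dovecot-style %variable expansion for an LDAP search base and
filter, with DN (RFC 4514) and filter (RFC 4515) escaping.

Added example, not Dovecot's own code. Only the %u/%n/%d variable names and
the base/pass_filter templates come from the bug report; everything else
(the escaping helpers, the empty-RDN check, the sample logins) is assumed.
"""
import re

# Constructed sample config, copied from the dovecot-ldap.conf.ext in the report.
CONFIG = {
    "base": "ou=%d,dc=thecrazyguys,dc=net",
    "pass_filter": "(&(objectClass=posixAccount)(uid=%n))",
}

_VAR_RE = re.compile(r"%([und])")


def split_user(user):
    """Split 'user@domain' into the %u, %n and %d values Dovecot exposes.
    A login without '@' (or a run with no user context at all) leaves %d
    empty, which is what turns ou=%d into the invalid ou=,dc=... below."""
    name, sep, domain = user.partition("@")
    return {"u": user, "n": name, "d": domain if sep else ""}


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = value.replace("\\", "\\\\")          # backslash first
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):                  # leading '#' or space
        out = "\\" + out
    if out.endswith(" "):                      # trailing space
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    out = value.replace("\\", "\\5c")          # backslash first
    for ch, hexcode in (("*", "2a"), ("(", "28"), (")", "29"), ("\0", "00")):
        out = out.replace(ch, "\\" + hexcode)
    return out


def expand(template, variables, escaper):
    """Substitute %u/%n/%d in template, escaping each value for its context."""
    return _VAR_RE.sub(lambda m: escaper(variables[m.group(1)]), template)


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns


def empty_rdns(dn):
    """Return the RDNs whose value is empty, e.g. ['ou='] for 'ou=,dc=net'."""
    bad = []
    for rdn in split_rdns(dn):
        _attr, sep, value = rdn.partition("=")
        if not sep or value == "":
            bad.append(rdn)
    return bad


def build_query(user, config=CONFIG):
    """Expand base and pass_filter for one login and report an invalid base."""
    variables = split_user(user)
    base = expand(config["base"], variables, escape_dn_value)
    flt = expand(config["pass_filter"], variables, escape_filter_value)
    return {"base": base, "filter": flt, "empty_rdns": empty_rdns(base)}


if __name__ == "__main__":
    # Constructed sample logins: a normal user@domain, a bare username, and
    # two injection attempts that the context-specific escaping neutralises.
    for login in ("luke@example.com", "luke", "*@example.com", "luke@x,dc=evil"):
        q = build_query(login)
        status = "INVALID base" if q["empty_rdns"] else "ok"
        print(f"{login!r}: base={q['base']} filter={q['filter']} [{status}]")
```

Two things worth checking against a real Dovecot deployment before blaming the base template: first, whether the login that reaches the LDAP lookup still carries its domain (a client that sends a bare username, or an auth_username_format that strips it, leaves %d empty and yields exactly ou=,dc=...); second, that whatever does the substitution escapes %n and %d, since both come straight from the client-supplied login and land inside a DN and a filter.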

Revision history for this message
Bryce Harrington (bryce) wrote:

There is a reference to a similar issue, of ou=%d,... resulting in ou=,... here:

https://dovecot.org/pipermail/dovecot/2014-June/096513.html
https://dovecot.org/pipermail/dovecot/2014-June/096518.html

The latter suggests there are some search modes (e.g. -A) where there isn't a domain defined for a user, since the search acts on multiple users. You didn't specify how you're using the search base you referenced, so not sure whether this is relevant for your case. If what's discussed in that mail thread doesn't match your use case, I would suggest raising your question on that Dovecot upstream mailing list; they will know what is going on better than us. Also, if the behavior is not a bug, then you might suggest where you had looked in the docs, since that place is probably where a mention should be made. If you raise this discussion there, please include a link on this bug report so we can follow up. If the discussion results in patches they may be worth considering SRUing them to 18.04.

Changed in dovecot (Ubuntu):
status: New → Incomplete
Luke Schierer (lschierer) wrote:

Those list posts both speak to working dovecot configurations (dovecot is working for IMAP) where the doveadm command does not work. The above snippets are from my /etc/dovecot/dovecot-ldap.conf.ext file, which is referenced by the /etc/dovecot/conf.d/auth-ldap.conf.ext file. Thus my IMAP connections aren't working at all. I do not see anywhere in the man page or the commented-out in-file documentation any indication that I can change the way dovecot uses the search base for its default searches as part of authentication.

I've posted upstream, we'll see if I get a reply. https://dovecot.org/pipermail/dovecot/2020-August/119819.html

Launchpad Janitor (janitor) wrote:

[Expired for dovecot (Ubuntu) because there has been no activity for 60 days.]

Changed in dovecot (Ubuntu):
status: Incomplete → Expired
Changed in dovecot (Ubuntu):
status: Expired → New
Sergio Durigan Junior (sergiodj) wrote:

Hello Luke,

Based on the discussion posted, I could not infer if you have progressed in diagnosing the issue, or if you're still stuck. Do you have more news about the bug that you can share with us? Thanks.

Changed in dovecot (Ubuntu):
status: New → Incomplete
Luke Schierer (lschierer) wrote:

Upstream's mailing list was very unhelpful. I'm essentially stuck on this.

Paride Legovini (paride) wrote:

Hello Luke,

Did you perhaps try the same setup on Ubuntu Xenial or Focal? If the behavior of Dovecot changed between releases, then we'd have an action to take on the Ubuntu side: look for the change that introduced (or fixed) the problem in the past versions of the dovecot package and evaluate the possibility of shipping a fix for the supported Ubuntu releases.

I'm setting the Importance of this bug report to Low, as in my understanding the use case you report is uncommon. If you don't agree with this feel free to raise its Importance but please provide a rationale, helping us better understand the scope of the problem. Thanks!

Changed in dovecot (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote:

[Expired for dovecot (Ubuntu) because there has been no activity for 60 days.]

Changed in dovecot (Ubuntu):
status: Incomplete → Expired